October 14, 2008 Archives

October 14, 2008

October 2008 Critical Patch Update Released

Hi, this is Eric Maurice!

Oracle today released the October 2008 Critical Patch Update (CPUOct2008).

The Critical Patch Update (CPU) includes fixes for 36 new security vulnerabilities across a large number of products: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, and Oracle WebLogic. Fifteen of these 36 vulnerabilities affect Oracle Database Server. One of the Database Server vulnerabilities is remotely exploitable without authentication. Note also that three of the Application Server vulnerabilities affect client-only installations. Finally, the CVSS Base Scores for the vulnerabilities fixed in this CPU (an indication of their relative severity) range between 1.0 and 10.00 (on a scale of 10.0). See our previous blog entry series for more information about CVSS and an explanation of the CVSS base scoring formula.

The most severe vulnerability fixed in this CPU (CVE-2008-4008, with a CVSS Base Score of 10.0) affects the Apache plugin for Oracle WebLogic Server (formerly BEA WebLogic). This is not vulnerability CVE-2008-3257, which was fixed in a previously issued Security Alert, though a fix for CVE-2008-3257 is also included in this CPU (fixes for BEA WebLogic plugins are cumulative). CVE-2008-4008 is a new vulnerability that was reported to Oracle shortly before the creation of this CPU. A fix for it was therefore included in this CPU in order to provide a prompt resolution and to help ensure that the security posture of WebLogic customers is maintained.

Oracle strongly encourages all customers to apply this CPU as soon as possible.


For More Information:

The Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

Security Advisories and Notifications for the Oracle BEA products are located at: https://support.bea.com/application_content/product_portlets/securityadvisories/index.html

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

The CVE web site is located at: http://cve.mitre.org/

About October 2008

This page contains all entries posted to The Oracle Global Product Security Blog in October 2008. They are listed from oldest to newest.
